Software Makers with US Government Customers Have a Year (or Less) to Provide Self-Attestations; FishPig Hit with Supply Chain Attack; Microsoft Patch Tuesday Includes Fix for Flaw Added to Known Exploited Vulnerabilities Catalog

If you’re a software producer with any sales in federal government space, this is huge. You’ll have 365 days (or 270 days if your software is considered “critical” by the procuring agency) to get your attestations together. While the agency standard attestation forms are not yet released, software producers should be looking at SP 800-218 now and beginning their gap assessments now as most development orgs do not meet the requirements in SP 800-218.

Jake Williams

This is a big (huge) deal as the scope includes firmware, operating systems, applications and application services (a.k.a. cloud service) as well as all products containing software. Read the scope carefully as it also limits the requirement to software developed, or major versions changes to existing software after the memorandum date. Agencies are already identifying critical software as part of FISMA data reporting to DHS. Critical software includes software that provides security services such as firmware, operating systems, EDR, etc. If you have federal customers, brush up on the memo and 800-218 to develop a plan for providing attestation to your customers.

Lee Neely

I always worry when I see phrases such as “agencies are required to obtain a self-attestation from the software producer before using the software.” Time and time again we have witnessed self-regulation industry fail the consumer and customers. Which is why I find the EU proposal for the Cyber Resilience Act which will require independent certification relating to the security of hardware and software devices an exciting and promising development as vendors will legally be required to ensure their products meet minimum security standards. https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

Brian Honan

One small step in the essential direction of holding suppliers accountable for any malicious code that they ship.

William Hugh Murray

This is a far simpler software supply chain attack than SolarWinds, and yet still very impactful. The .php script drops a Rekoobe malware variant to disk and executes it. Threat actors dropped the malware to /tmp and executed it from there. This is where detection engineering comes into play. Hidden files executing from the /tmp directory, especially immediately after being written to disk, should be extremely rare. If you have the right telemetry in place, this is trivial to detect. The threat actors write to /tmp because it's world writable and they can't count on the web server running under a privileged account.

Jake Williams

It looks like FishPig had no controls to detect a compromise of its software. No digital signatures and no verification that the software deployed on its download servers matches the software that should be deployed. Detection happened by a third party, not the vendor.

Johannes Ullrich

Follow the steps on the FishPig Security Announcement to verify if you are or are not affected; they provide a script which both checks your extensions and makes recommendations. Next you need to update/reinstall FishPig. Lastly you need to reboot to clear the malware from memory; this has to be done after clearing the compromised extensions.

Lee Neely

A PoC exploit has been released for one of the critical IKE vulnerabilities. These vulnerabilities have a lot of potential to cause havoc, and the only thing saving us here is that the two attacked features, IPSEC and IPv6, are not widely deployed.

Johannes Ullrich

It’s September, students are back in school, we’re back from vacations, ready to ease back into work - not so much this week. Microsoft, Apple and Adobe have all released updates to critical vulnerabilities you need to jump on. Don’t panic - make sure you’ve got backups in case you need to roll back and start your deployment as usual. The five critical flaws for Windows have CVSS scores from 7.8 to 9.8, don’t be fooled, CVE-2022-34718 is wormable, CVE-2022-37869 is privilege escalation, CVE-2022-35085 a similar flaw more easily exploited, CVE-2022-34718 allows an unauthenticated attacker to execute code with privileges, and lastly CVE-2022-37969 fixes a possible bypass scenario to a prior patch of the Windows Log system.

Lee Neely

The number of vulnerabilities that Microsoft patches each month might suggest that they are very good at finding vulnerabilities. However, patching is both an expensive and risky way to achieve essential quality. Much better to detect the vulnerabilities as part of the quality control process.

William Hugh Murray

IoT attacks are often considered "nuisance" attacks by bots like Mirai. But among the immense noise created by these bots, we do have more sophisticated attacks that use vulnerable devices like these VoIP systems as a steppingstone to enter otherwise reasonably well-protected networks. Reminds me to finally put my automated cat feeder into the IoT VLAN.

Johannes Ullrich

Remember your VoIP system is a computer and needs to be kept updated, securely configured, and monitored for unexpected activity. Take that a step further: consider almost every system we use today as a computer which needs to be kept secured, ideally asking for that activity to be incorporated into the deployment plan, which may then trigger needs for added cyber resources.

Lee Neely

One thing often overlooked when it comes to procuring smart devices (may it be a car that interfaces with a smart phone or a wifi controlled infusion pump) is the fact that vendors typically have rather limited “end of support” timelines. We are used to have devices like this last for a decade or longer while software support often expires after a couple years. Will your car still be able to interface with the phone released in 2032?

Johannes Ullrich

These devices have a 10-30 year lifespan, and when they were installed the threat landscape was nothing like it is today. In many cases you’re unlikely to be ready to retire them and may not be able to update them either. Aside from formally tacking the lifecycle of these devices, make sure they are as isolated as possible, have firm plans (which may require hard conversations) about keeping them updated.

Lee Neely

Intuitively the risk is to the health of patients. However, security is a space in which intuition does not serve us well. More likely is the risk that, using gratuitous general purpose operating system code in the device, it will be co-opted into a botnet.

William Hugh Murray

The threat actors are changing payment (ACH, Direct Deposit, etc.) to send information to their accounts rather than where expected. This means that you should not only check your personal accounts for fraudulent charges, but also verify corporate payment destinations are valid. Make sure that you have secondary validation of payment account changes, customer or corporate as well as enforce multi-factor authentication making credential compromise attacks much harder. Review the FBI recommendations to find other mitigations you may not have otherwise considered.

Lee Neely

If you’re considering migrating to the browser-based Teams app, consider the browser chosen. Not all browser versions support teams fully and not all browsers have equivalent security protections. Consider Chromium Edge or Chrome for optimal experience. Even so, there is a reduction of functionality. Note that for Linux users EOL for the Linux desktop Teams client is December 22, so the browser version will be their only option. Monitoring access to the identified files by processes other than the Teams application and implementing a response mechanism may be far more acceptable to end users than switching to the browser-based app.

Lee Neely

With increased attention on supply chain security, expect more security processes and teams to be incorporated into services and products used to develop code. With luck tools will be developed, such as the govulcheck tool from the Go initiative, to flag code for vulnerabilities, making it easier to fix and release secure code.

Lee Neely

Make sure that firmware updates are in your SOP for keeping systems secure. Also make sure that you’re only deploying genuine firmware updates. If you’re worried about your HP firmware, Binarly has released an open-source tool “FwHunt” to scan for UEFI firmware vulnerabilities.

Lee Neely

Unlike the old hard-wired analog devices of the past, modern IoT security cameras need to be kept updated. And the frequency of those updates may not be sufficient for all scenarios, which means they should be able to connect only to the services they absolutely need. Use a separate network or SSID, just as your old CCTV system was dedicated to that purpose. Lastly, if your vendor seems disinclined to address security issues, you should be disinclined to continue using their devices.

Lee Neely

Note there are three Linux kernel flaws listed as well, but you have until October 6th to fix them. Don’t overlook Linux in your monthly patch cycle.

Lee Neely